santuario-dev mailing list archives

From Michael Bishop <bisho...@gmail.com>
Subject Re: Resolver Issues with Enveloped Signature?
Date Wed, 16 Mar 2011 00:57:41 GMT
I've gotten most of my guidance thus far from the samples in the Santuario
source.  Is there a specific one that I've missed that exemplifies multiple
signatures for multiple content using "enveloped" signatures?

On Tue, Mar 15, 2011 at 1:37 AM, Eric Johnson <eric@tibco.com> wrote:

> If I understand your question correctly, just look at some of the test
> cases in the code itself, and I suspect you'll find examples of what you
> want to do pretty quickly - as well as the code to work with the items in
> question. Look in the "data" folder for a document that closely matches what
> you want.
>
> -Eric.
>
>
> On 3/14/11 5:45 PM, Michael Bishop wrote:
>
>> What an enveloped signature signs has to do with what its reference(s)
>> point to rather than where it is located.
>>
>
> OK, I think I'm getting the idea here.  So, if we take the example of a
> "guest book", where each person who signs the guest book only signs his/her
> entry, we must use references.
>
> <guestbook>
>     <!-- Chuck's entry in the guest book. -->
>     <entry id="chuck"/>
>
>     <!-- Jane's entry in the guest book. -->
>     <entry id="jane"/>
>
>     <!-- Giles' entry in the guest book. -->
>     <entry id="giles"/>
>
>     <!-- Chuck's signature that signs his entry. -->
>     <ds:Signature>
>         <ds:Reference URI="#chuck"/>
>     </ds:Signature>
>
>     <!-- Jane's signature that signs her entry. -->
>     <ds:Signature>
>         <ds:Reference URI="#jane"/>
>     </ds:Signature>
>
>     <!-- Giles' signature that signs his entry. -->
>     <ds:Signature>
>         <ds:Reference URI="#giles"/>
>     </ds:Signature>
> </guestbook>
>
> In the above example, those signatures could live anywhere (I guess in a
> true "enveloped" environment, they would live inside the <entry> elements),
> as long as they point to the proper URIs.  Are those the proper URIs?  How
> do you tag content with reference points?  Do I have to use a <ds:Object>
> element to do that as in enveloping signatures?
>
> Basically, how do I properly sign multiple pieces of content with multiple
> signatures in the same document?  Are there any good references I can read through?
>
> Thanks,
>
> Michael
> On Sat, Mar 12, 2011 at 1:21 AM, Malcolm Young <malcolm.young@gmail.com> wrote:
>
>> What an enveloped signature signs has to do with what its reference(s)
>> point to rather than where it is located. The enveloped part simply
>> indicates it is "somewhere" within the signed content and will need to be
>> removed prior to processing.
>>
>> And yes - same document references are usually represented with an empty
>> URI which means the entire content is signed or an X-Pointer reference to an
>> ID (like Uri="#_someID") which means the element with the ID value AND ALL
>> of its descendants will be signed. Again, this has nothing to do with WHERE
>> in the document the signature element is.
>>
>> Cheers,
>>
>> mal
>>
>> On Sat, Mar 12, 2011 at 2:37 PM, Michael Bishop <bishopmw@gmail.com> wrote:
>>
>>> An enveloped signature is over the data that contains the Signature
>>>> element.
>>>>
>>>
>>> Can you elaborate on this?  Here's an example.
>>>
>>> <root>
>>>     <content/>
>>>     <ds:Signature/>
>>> </root>
>>>
>>> What is signed here?  <root>?  Or both <root> and <content>?
>>>
>>> <root>
>>>     <content>
>>>         <ds:Signature/>
>>>     </content>
>>> </root>
>>>
>>> I would assume that in this case, only <content> is signed.
>>>
>>> I understand that typically, an enveloped signature signs the content
>>> represented by its parent.  But does it sign the parent AND all the parent's
>>> children?
>>>
>>> <root>
>>>     <content>
>>>         <subContent/>
>>>     </content>
>>>     <moreContent>
>>>         <subContent/>
>>>     </moreContent>
>>>     <ds:Signature/>
>>> </root>
>>>
>>> I would assume this signature signs the entire document.  If not, how
>>> would I do that?
>>>
>>> Thanks,
>>>
>>> Michael
>>>
>>> On Wed, Mar 9, 2011 at 10:00 AM, Michael Bishop <bishopmw@gmail.com> wrote:
>>>
>>>> OK, this is now issue 265 in the Santuario project.  I attached a test
>>>> case and the certificate I'm using for the test.  Thanks for checking into
>>>> it.
>>>>
>>>> Michael
>>>>
>>>>
>>>> On Wed, Mar 9, 2011 at 4:47 AM, Colm O hEigeartaigh <coheigea@apache.org>
>>>> wrote:
>>>>
>>>>> Can you create a test-case and attach it to JIRA and I'll take a look?
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Colm.
>>>>>
>>>>> On Tue, Mar 8, 2011 at 8:57 PM, Michael Bishop <bishopmw@gmail.com>
>>>>> wrote:
>>>>> > Hello,
>>>>> >
>>>>> > I'm having a problem with creating an enveloped signature.  I was
>>>>> > able to create an enveloping signature just fine, but the enveloped
>>>>> > signature hangs on the XMLSignature.sign(privateKey) method for a
>>>>> > long time, before throwing an error.
>>>>> >
>>>>> > I was able to figure out what the error was; by default, the
>>>>> > XMLSignature.sign(privateKey) method was trying to access
>>>>> > http://www.w3.org/2000/09/xmldsig#rsa-sha1 and failing.  I can pull
>>>>> > that up in my browser, so I don't know why it's hanging there.  I
>>>>> > didn't have this issue with an enveloping signature.
>>>>> >
>>>>> > I wrote an extension of ResourceResolverSpi and mapped
>>>>> > http://www.w3.org/2000/09/xmldsig#rsa-sha1 to point to the schema
>>>>> > included in the XML Security JAR file.  That works fine, but I'm
>>>>> > wondering what the best solution is, and why enveloped signatures
>>>>> > need to access this URL at all?
>>>>> >
>>>>> > I can provide code as needed if it's necessary.
>>>>> >
>>>>> > Thanks,
>>>>> >
>>>>> > Michael Bishop
>>>>> >
>>>>>
>>>>
>>>>
>>>
>>
>

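The guest-book layout discussed in this thread, worked through as an added example that is not code from the thread or from the Santuario project: each <entry> carries its own enveloped signature whose Reference URI="#id" selects that entry and all of its descendants, and verification checks both the signature value and that the Reference really covers the entry the Signature sits in. It assumes the Apache Santuario org.apache.xml.security API (1.4 or later) on the classpath; the sample document, the GuestBookSignatures class and its methods, and the test RSA key pairs standing in for real certificates are all constructed for the example.

```java
// Added example, not code from this thread or from the Santuario project.
// Assumes Apache Santuario (org.apache.xml.security, 1.4+) on the classpath;
// the document, class name and test key pairs are constructed for illustration.
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.util.HashMap;
import java.util.Map;
import javax.xml.parsers.DocumentBuilderFactory;
import org.apache.xml.security.Init;
import org.apache.xml.security.algorithms.MessageDigestAlgorithm;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.transforms.Transforms;
import org.apache.xml.security.utils.Constants;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class GuestBookSignatures {

    // Constructed sample document: three entries, no signatures yet.
    static final String GUESTBOOK =
          "<guestbook>"
        + "<entry id=\"chuck\">Chuck was here</entry>"
        + "<entry id=\"jane\">Jane was here</entry>"
        + "<entry id=\"giles\">Giles was here</entry>"
        + "</guestbook>";

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // ds:-prefixed elements need namespace support
        return dbf.newDocumentBuilder()
                  .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    // URI="#chuck" is resolved through Document.getElementById, which only
    // finds the element once the attribute is declared to be an ID.
    static void markIds(Document doc) {
        NodeList entries = doc.getElementsByTagName("entry");
        for (int i = 0; i < entries.getLength(); i++) {
            ((Element) entries.item(i)).setIdAttribute("id", true);
        }
    }

    // Sign one entry with one signer's key. The Signature is placed inside the
    // entry, so the enveloped transform must drop it from the digest input.
    static void signEntry(Document doc, Element entry, KeyPair signer) throws Exception {
        XMLSignature sig = new XMLSignature(doc, "", XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA256);
        entry.appendChild(sig.getElement());
        Transforms transforms = new Transforms(doc);
        transforms.addTransform(Transforms.TRANSFORM_ENVELOPED_SIGNATURE);
        transforms.addTransform(Transforms.TRANSFORM_C14N_EXCL_OMIT_COMMENTS);
        // The Reference, not the Signature's position, decides what is signed:
        // the entry element and all of its descendants.
        sig.addDocument("#" + entry.getAttribute("id"), transforms,
                        MessageDigestAlgorithm.ALGO_ID_DIGEST_SHA256);
        sig.addKeyInfo(signer.getPublic());
        sig.sign(signer.getPrivate());
    }

    // Verify each Signature with the key expected for the entry it sits in, and
    // reject it unless its single Reference points at exactly that entry.
    static boolean verifyAll(Document doc, Map<String, PublicKey> expectedKeys) throws Exception {
        NodeList sigs = doc.getElementsByTagNameNS(Constants.SignatureSpecNS, "Signature");
        for (int i = 0; i < sigs.getLength(); i++) {
            Element sigEl = (Element) sigs.item(i);
            String id = ((Element) sigEl.getParentNode()).getAttribute("id");
            XMLSignature sig = new XMLSignature(sigEl, "");
            if (sig.getSignedInfo().getLength() != 1
                    || !("#" + id).equals(sig.getSignedInfo().item(0).getURI())) {
                return false; // valid or not, it does not cover this entry
            }
            PublicKey key = expectedKeys.get(id);
            if (key == null || !sig.checkSignatureValue(key)) {
                return false;
            }
        }
        return sigs.getLength() == expectedKeys.size();
    }

    public static void main(String[] args) throws Exception {
        Init.init();
        Document doc = parse(GUESTBOOK);
        markIds(doc);
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        Map<String, PublicKey> keys = new HashMap<>();
        NodeList entries = doc.getElementsByTagName("entry");
        for (int i = 0; i < entries.getLength(); i++) {
            Element entry = (Element) entries.item(i);
            KeyPair kp = kpg.generateKeyPair(); // a different signer per entry
            keys.put(entry.getAttribute("id"), kp.getPublic());
            signEntry(doc, entry, kp);
        }
        System.out.println("all three signatures verified: " + verifyAll(doc, keys));
    }
}
```

Two points the code makes concrete. First, marking `id` as an ID attribute is what lets the `#chuck` reference resolve at all; without it the same-document reference fails regardless of where the Signature lives. Second, if the Signature elements are instead placed as siblings of the entries, as in the guestbook sketch earlier in the thread, the enveloped transform becomes a no-op (the Signature is not inside the referenced node-set), and the References alone still determine what each signature covers. On the verifying side, `verifyAll` accepts a signature only after confirming that its Reference points at the entry being relied on: a signature that verifies over some other element proves nothing about this one.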